EDRi-gram newsletter - Number 9.24, 14 December 2011

EDRI-gram newsletter edrigram at edri.org
Wed Dec 14 11:56:31 PST 2011



biweekly newsletter about digital civil rights in Europe

Number 9.24, 14 December 2011


Support EDRi!
1. Council of Europe and European Commission initiatives on Internet freedom
2. Brief overview of the leaked EU Data Protection Regulation
3. Russian Government's new attempts to censor the Internet
4. European Parliament: raising awareness on "self"-regulation
5. Austria: Petition against Data Retention Directive
6. German web blocking law repealed
7. A fair Internet for all?
8. Transatlantic data privacy in debate at Privacy Conference
9. UK: Medical records in the open data programme?
10. Recommended Action
11. Recommended Reading
12. Agenda
13. About

Support EDRi!

Increasingly, your digital freedom is under threat. And unfortunately,
mostly as a result of European rules. Europe agreed to transfer your travel
data wholesale to the US. Europe obliged your telephone provider to store
your location, sometimes for up to two years. And Europe is considering
blocking websites and domain names. The list goes on.

This needs to stop. European Digital Rights (EDRi) defends your digital
freedom in Europe and needs your help. With a continuous stream of proposals
that risk eroding digital civil rights in Europe, your donation could make a
huge difference. The main goal at the moment is to keep funding the Brussels
office. This would allow us to continue to fight on all fronts mentioned

If you didn't know yet, EDRi is a European non-governmental digital rights
organisation. We defend rights such as the freedom of expression, privacy,
data protection and access to knowledge. EDRi was founded in 2002 by 10
organisations from 7 European countries. Since then, EDRi membership has
grown consistently. Currently, EDRi represents 28 organisations from 18
countries in Europe. To find out more about our activities, you can read our
Annual Reports 2009 and 2010 or continue reading EDRi-gram to be updated
on a regular basis.

If you wish to help EDRi promote privacy and fundamental rights by
supporting our specialised office in Brussels, you may donate now to:

European Digital Rights Aisbl
Bank account nr.: 733-0215021-02
IBAN: BE32 7330 2150 2102

Beyond donations, you can always support EDRi!

Read and Share our Annual reports

Flattr Us!

Promote the subscription to EDRi-gram, our free bi-weekly newsletter on
digital civil rights in Europe

Add a link or image to your website. Here are some images you might use:

Volunteer! If you have some time and effort to spare we are always
looking for volunteers to help us in our work. Let us know what you're good
at and how you may help and we'll find a way to collaborate together.

Follow us on Twitter!

Check out EDRi on YouTube and Vimeo

This is the last issue of EDRi-gram for this year, so we would like to thank
our loyal readers for their time, hints and feedback!!
Stay tuned for the next EDRi-gram, which will be published on 18 January

1. Council of Europe and European Commission initiatives on Internet freedom

On 8 December, the Council of Europe launched a very important Declaration
on "the protection of freedom of expression and freedom of assembly and
association with regard to privately operated Internet platforms and online
service providers." The text picks up many of the themes and priorities of
EDRi's study, published in January of this year, on the "Slide from
Self-Regulation to Corporate Censorship".

The text explains that "although privately operated, they are a significant
part of the public sphere through facilitating debate on issues of public
interest; in some cases, they can fulfil, similar to traditional media, the
role of a social "watchdog" and have demonstrated their usefulness in
bringing positive real-life change".

In the context of the positive obligations of states party to the Convention
on Human Rights to defend the rights in that instrument, the Declaration
explains that "direct or indirect political influence or pressure on new
media actors may lead to interference with the exercise of freedom of
expression, access to information and transparency, not only at a national
level but, given their global reach, also in a broader international

The resolution explains that "the companies concerned are not immune to
undue interference; their decisions sometimes stem from direct political
pressure or from politically motivated economic compulsion, invoking
justification on the basis of compliance with their terms of service". The
text concludes by alerting "member States to the gravity of violations of
Articles 10 and 11 of the European Convention on Human Rights which might
result from politically motivated pressure exerted on privately operated
Internet platforms and online service providers, and of other attacks
against websites of independent media, human rights defenders, dissidents,
whistleblowers and new media actors."

Four days after the Council of Europe Ministerial Declaration was launched,
European Commissioner Vice President Neelie Kroes launched a "no disconnect
strategy" to "uphold the EU's commitment to ensure human rights and
fundamental freedoms are respected both online and off-line, and that
internet and other information and communication technology (ICT) can remain
a driver of political freedom, democratic development and economic growth."

The ambition of the announcement is quite limited in the first instance -
only addressing breaches of freedom of communication where "Europe perceives
that a vibrant and open Internet is not the norm or where grave human rights
abuses take place." While this lack of ambition is likely to come in for a
degree of criticism, it is nonetheless a step forward and should be
recognized and applauded as such.

One reason for the lack of ambition is the large range of restrictive
measures imposed by European countries in generally unsuccessful attempts to
enforce copyright. Currently, these include policies such as Internet
blocking, abuses of personal data and legal coercion of unconvicted
citizens. As if to underline the self-consciously contradictory nature of
the EU's policies in this area, Commissioner Kroes asked the unrepentant
German (alleged) plagiarist Mr Karl-Theodor zu Guttenberg (originally
described as representing US pressure group CSIS.org, which is not on the EU
transparency register) to work on the project with her. Mr zu Guttenberg is
best known for being shown to have copied his PhD thesis and, as a result,
having to resign from his former post as German Defence Minister. He is also
infamous for, together with his wife, launching a proposal for mandatory web
blocking in Germany.

Commissioner Kroes' obviously refined sense of irony failed to impress a
large number of online commentators, with a flurry of criticism appearing on
social media and on the Commissioner's blog.

Commissioner Kroes' response to criticism (13.12.2011)

EDRi study - "Slide from Self-Regulation to Corporate Censorship"

Council of Europe Committee of Ministers Declaration on the protection of
freedom of expression and freedom of assembly and association
with regard to privately operated Internet platforms and online service
providers (7.12.2011)

European Commission press release - Digital Agenda: Karl-Theodor zu
Guttenberg invited by Kroes to promote internet freedom globally

Mr zu Guttenberg's PhD scandal (1.03.2011)

Mrs zu Guttenberg's child protection activities (19.10.2011)

Legal coercion of EU citizens for copyright enforcement

(Contribution by Joe McNamee - EDRi)

2. Brief overview of the leaked EU Data Protection Regulation

Last week, Europe was able to get a first glance at the "General Data
Protection Regulation" thanks to a leak by Statewatch. It is due to be
officially published on 25 January 2012 and will repeal the outdated Data
Protection Directive from 1995. It keeps the Directive's key principles but
also aims at taking into account the technological developments. It aims at
greater harmonisation and more "coherent" rules: "Differences in the level
of protection of the rights and freedoms of individuals may therefore
constitute an obstacle to the pursuit of economic activities at the level of
the Union, distort competition and impede authorities in the discharge of
their responsibilities under Union law."

The draft regulation introduces new rights and new definitions. Sensitive
data are now redefined to cover genetic and biometric data. The definition
of a data subject is mildly extended to a person who can be identified
directly or indirectly by the controller or "any natural or legal person".
New rights include clearer rights on data portability. It also introduces
mandatory reporting of data breaches as well as new competences and powers
for supervisory authorities in terms of independence and capacity. Moreover,
the regulation (article 63) establishes a European Data Protection Board
which is going to replace the existing Article 29 Working Party.

Article 2 of the Regulation defines the scope and states that it also
"applies to the processing of personal data of data subjects residing in the
Union not carried out in the context of the activities of an establishment
of a controller in the Union, where the processing activities are directed
to such data subjects, or serve to monitor the behaviour of such data
subjects." It will thus apply to businesses that have entities in Europe,
use equipment in the EU to process data or who have data processing
activities directed to EU data subjects or served to monitor their

Users can still make requests to access their data and ask for erasure. This
"right to be forgotten" (Art. 15) is basically a re-packaging of the already
existing right to deletion after the purpose has been fulfilled (Art. 12 of
Directive 95/46/EC). The current draft proposal goes further than the 1995
Directive proposing the right to erasure if the data are no longer necessary
or if the data subject withdraws his/her consent, including the right to
erasure of any public Internet link to, copy or replication of personal data
relating to the data subject in any public communication service. This
especially applies "in relation to personal data which are made available by
the data subject while he or she was a child".

It has already been argued that the article on the right to be forgotten was
not particularly well drafted and could therefore have serious and obviously
unintended implications for freedom of speech. Even though one of the aims
of this article is to counter the loss of purpose limitations in social
media, it must be carefully drafted to avoid its potential misuse as a tool
for censorship. It has also been criticised as data controllers, for
instance blogs or other independent media that do not comply with the 'right
to be forgotten', could be fined between 500 and 600 000 Euros.

One of the elements of the draft regulation that can be applauded is
represented by articles 37 and 42 which regulate data processing by third
countries. Data can be transferred to a third country only if certain
criteria are met to ensure the level of protection of individuals for the
protection of personal data. Article 42 addresses extra-territorial actions
by third countries such as the USA Patriot Act and the USA Foreign
Intelligence Surveillance Act and imposes barriers for foreign judicial
authorities to access European data. This article is particularly
interesting with regard to the US requests for European data such as the
request for Twitter account details of European citizens that might be
related to WikiLeaks.

Proposal for a Regulation on the protection of individuals with
regard to the processing of personal data and on the free movement of such
data (General Data Protection Regulation)

9 Reasons Why a 'Right to be Forgotten' is Really Wrong (8.12.2011)

A quick review of the draft EU Data Protection Regulation - Privacy
International (8.12.2011)

(Contribution by Kirsten Fiedler - EDRi)

3. Russian Government's new attempts to censor the Internet

Especially during the period before and immediately after the Russian
parliamentary elections of 4 December 2011, government censorship
attacked not only traditional media, but also the Internet, which now
plays a very important role in the political debate in Russia with more than
51 million users.

An order from the Federal Security Service (FSB) asked social network
Vkontakte, with more than 5 million Russian users, to block the websites of
seven groups calling for demonstrations during the election days. As the
network refused to obey, Pavel Durov, its founder and director general, was
summoned to the Saint Petersburg prosecutor's office.

"This unreasonable order aims to deprive Internet users of the freedom of
expression, opinion and assembly. The authorities are using prevention of
violence as a pretext for reinforcing control of the Internet," Reporters
Without Borders said.

The Ria Novosti news agency was also allegedly ordered to clear its website
of any foreign news reports critical of Putin. Grigory Okhotin, who recently
resigned from Inosmi, a Ria Novosti offshoot translating foreign media
articles into Russian and posting them on its website, stated on 26 November
that he had received an internal email from the head of the Internet
department asking all employees "not to post any article hostile to Putin
and United Russia on the site" during the week prior to the elections.

Also, reporters, photographers and bloggers who are critical of the
government were arrested either in the days prior to the elections or
while peacefully protesting in Moscow against the results of the
parliamentary elections and the irregularities that accompanied the polling.

Even regional forums were targeted. On 15 November, the police went to the
web-hosting company Agava Hosting and seized the server of Kostroma Jedis,
the region's most popular forum with 12 000 daily visitors, for having
posted two satirical videos criticizing governor Igor Slyunyayev.

Besides these attempts to stop protests directly, the Government also used
cyber attacks against blogs and Twitter accounts which have been flooded
with pro-government messages. Furthermore, several websites that are
critical of the government were blocked by Distributed Denial of Service
attacks before and during the elections. For instance, LiveJournal, a blog
platform hosting many anti-government blogs, was made inaccessible for three
days starting on 1 December.

Russia is classified as a "country under surveillance" in the latest
Reporters Without Borders press freedom index, and is part of the "Enemies
of the Internet" list in its latest report.

Vkontakte social network targeted by security services (9.12.2011)

Political debate disrupted by cyber-attacks and arrests (5.12.2011)

Russia: Election Day DDoS-alypse (5.12.2011)

Russia: The Revolt of "Net Hamsters" (5.12.2011)

4. European Parliament: raising awareness on "self"-regulation

What better way to raise awareness on private policing on the Internet than
to organise a workshop in the European Parliament and let the stakeholders
answer the question: "Self-regulation: Should online companies police the
internet?" On 7 December 2011 MEP Marietje Schaake organized, with support
from EDRi, an event on this issue. Among the speakers were representatives
from the European Commission, the content and internet industries and
civil society.

Representatives from the European Commission constituted the first panel.
Werner Stengg, from Directorate General Internal Market and Services, Head
of Unit Online Services, said, with regard to the E-commerce Directive,
there was no need for revision but a need for clarification on the "Notice
and Takedown" (now significantly broadened to "Notice and Action" - which
would cover any action by any intermediary rather than just hosting and mere
conduit providers). However three major, partially contradictory, issues
were raised in the consultation that need to be further discussed for 3
1) takedowns are slow or not happening;
2) fragmentation of the rules;
3) there are civil rights at stake (particularly due to incentives to
takedown content leading to excessive takedowns; no fair appeal procedure;
lack of transparency).

On 11 January 2012, there will be a communication on the E-commerce
Directive. He agreed that the important issue was the liability regime,
however he had no idea on the outcome of his ongoing work on "Notice and
Action". He said that the Commission did not reject the idea of "Notice and
Notice". They are going to take every solution proposed into account and
analyse the pros and cons, before making any decision. Detailed analysis on
this point will not be in the Communication but will follow in the second
half of 2012.

Nicole Dewandre, special advisor to the Director General for
Directorate General Information Society, talked about the Corporate Social
Responsibility (CSR) communication, which puts into place 2 actions:
firstly, a multistakeholder approach to Corporate Social Responsibility and
secondly, the improvement of self- and co-regulation processes. The DG
focuses on the Internet and the digital transition.

In the first round of questions, the audience raised the question on how the
right to fair trial/due process is going to be guaranteed, especially as
there are already examples of monitoring uploaded content operated via the
content ID platform. The 2003 inter-institutional agreement between the
Commission, Council and Parliament, which excludes self-regulation in cases
where fundamental rights are involved, was also evoked. However, no
conclusive response was given by DG InfSo on that concern. Finally, the
issue of how the concept of "do not track" would be implemented was raised,
due to doubts of some participants that this was working as a
self-regulation initiative. Wouldn't more regulation be a better solution
than self-regulation?

In the second panel, Chris Ancliff, General Counsel of Warner Music Group,
and member of the board of directors of IFPI (International Federation of
Phonographic Industry) stated that ISPs help illegal content and businesses
to flourish. According to him, ISPs, search engines, credit card
companies and advertisers have their role to play in the enforcement of
copyright law. In his mind, asking ISPs to block access was not
unreasonable. He also said that ISPs have much to gain in the process
and that the only losers would be the pirates.

Joe McNamee of EDRi briefly described ten of the main misunderstandings that
led to self-regulation proposed by some policy-makers and industry
representatives. For example, he underlined that "self"-regulation is not an
isolated issue, that ISPs were not the right entities to enforce criminal
sanctions and that it often had unintended negative consequences on

Chris Smith, representing composers and songwriters, focused on the question
of "who feeds the artist?" He also said that the ISPs must take
responsibility for the environment they created and are benefitting from.

According to the President of EuroISPA, Malcolm Hutty, Internet
intermediaries find themselves in the middle of an argument with EDRi on one
side and IFPI on the other. The issue however is far broader than copyright
since many different parties are interested in having ISPs police the
internet. ISPs face an important problem: how to deal with potentially
illegal content without causing harm to other interests? Transparency on
network management and removed material is important, but are ISPs the
competent and adequate bodies to deal with illegal/potentially illegal
content? Since blocking measures must be regulated, transparent and
proportionate, adequate safeguards must be put into place and he welcomed
the Directive on sexual exploitation of children on this point (which
rejected mandatory EU-wide blocking). Safeguards in that Directive mean new
rights granted to the citizens. Technical
measures are sometimes not possible and have consequences on reliability and

Jermyn Brooks gave a brief introduction to the Global Network Initiative
(GNI) which was created as a multi-stakeholder initiative in order to
provide maximum transparency for users and set global standards for industry
in a self-regulatory model. In his opinion, self-regulation would be a good
solution to keep up with a quickly changing environment. However it should
not replace due process. GNI is looking for the right balance between the
principles of freedom of expression and privacy and security.

Marietje Schaake underlined the fact that there was a hierarchy between
fundamental rights. She asked if the cost of enforcement was not
disproportionate to the benefits.

To perfectly end the workshop, Malcolm Hutty stressed the necessity of
applying the rule of law to the online environment.

"Self"-regulation: Should online companies police the internet?

Joe McNamee's speech (7.12.2011)

Video of the event - summary (14.12.2011)

(Contribution by Marie Humeau - EDRi)

5. Austria: Petition against Data Retention Directive

Today, 14 December 2011, the Austrian Arbeitskreis Vorratsdaten (Working
Group against Data Retention Austria - AKVorrat.at) handed over a petition
to the Austrian Parliament, asking for the government to be obliged to
engage against the Data Retention Directive at the EU level and to evaluate
the whole set of existing anti-terror legislation.

Six years after the Data Retention Directive passed the European Parliament,
but only a few months after it was transposed into the national law, the
activists of AKVorrat presented the petition together with 4.471 signatures
to the vice-director of the Austrian Parliament, Susanne Janistyn.

The Austrian Parliament has only recently introduced the possibility to sign
petitions online on its website, after they have been successfully submitted
on paper. Therefore, today's event in the Parliament only marks a mid-term
goal for AKVorrat. Starting from Monday next week a broad online campaign
will be launched to reach the goal of 10 000 signatures online. Austrian
citizens starting from the age of 16 are entitled to sign petitions on the
Parliament's website.

While data retention is the most prominent issue of the campaign, the
petition also targets the countless number of laws implemented with the
argument of fighting terrorism. Therefore, the Austrian Parliament is asked
to evaluate all of these laws and to abolish them, if they are found not to
be proportionate or necessary in a democratic society.

Only in April this year the Data Retention Directive was transposed into the
national Austrian law, which will come into force on 1 April 2012. From this
date on, Austrian citizens will have the opportunity to file complaints
against this law with the Constitutional Court of Austria. AKVorrat is
committed to using this opportunity extensively.

The Austrian Working Group to abolish the EU data retention directive visits
the vice-director of the Parliament Susanne Janistyn (14.12.2011)

Online-Campaign "Stoppt die Vorratsdatenspeicherung!" (only in German)

Arbeitskreis Vorratsdaten Österreich (AKVorrat.at) (only in German)

EDRi-gram 9.9:Data Retention has arrived in Austria (4.05.2011)

(contribution by Andreas Krisch - EDRi-member VIBE!AT - Austria)

6. German web blocking law repealed

After more than two years of discussions and opposition, on 1 December 2011,
the German Parliament finally took the decision to drop the Access
Impediment Act, the law that proposed blocking access to websites deemed to
have child pornographic content.

The decision was already considered by the German Government in April 2011
after the law had proven inefficient for its initial purpose of fighting
child pornography and after being largely opposed by freedom activists. An
online petition to have the law overturned was signed by 130 000 people. The
decision to have such sites blocked was "ineffective, counterproductive and
represented the beginning of internet censorship," said EDRi-member Chaos
Computer Club.

The law was asking ISPs to ban a list of websites compiled and considered as
"dubious" by the Federal Criminal Police Office. As in other cases, the
blocking measures proved to be easy to circumvent and therefore inefficient.
"Internet blockings are pointless. I need around five minutes to reconfigure
my browser if I want to view that material," said programmer and Pirate
Party member Stephan Urbach.

According to many experts, the only efficient method is deleting content.
"For years, the Internet industry has been working on the continued
improvement of successful deletion. This includes securing any evidence to
the end of criminal prosecution as well as international cooperation. Now,
it only takes us a few days to take illegal content off the net," stated
Oliver Süme, Vice-President of the German Internet Industry Association.

According to Justice Minister Leutheusser-Schnarrenberger, the German
decision to abolish the Access Impediment Act will influence the decisions
taken at the European level.

The next steps are now with the Federal Council that needs to accept the
law, the President to sign it and then to be published in the German Federal
Law Gazette.

Bundestag looks to delete child pornography websites (2.12.2011)

Access Impediment Act repealed (only in German, 1.12.2011)

EDRi-gram: German Internet blocking law to be withdrawn (6.04.2011)

7. A fair Internet for all?

On 1 December 2011, the European Parliament's European People's Party (EPP)
group presented their strategy paper "A fair Internet for all -
Strengthening Our Citizens' Rights and Securing a Fair Business Environment
in the Internet". In this webstreamed hearing, the MEPs discussed the main
issues of the paper such as net and "search" neutrality, social networks,
online behavioural advertising, anonymity of users, cloud computing and
intellectual property rights. This was followed by an exchange of views with
Google, Facebook and Microsoft and the German Federal data protection
commission - who are, ostensibly "the" stakeholders in European Internet
regulation. Unfortunately, the EPP did not invite any civil society

The strategy paper acknowledges that the Internet has created a new world of
possibilities and is an essential tool for communication, innovation, and
economic growth. It contains many positive elements such as a very strong
chapter on Net neutrality. The EPP group recognises that a neutral and open
free Internet represents a guiding principle which must be preserved as a
policy objective. The group therefore urges the Commission to adopt further
measures to guarantee Net neutrality. Furthermore, the text defends privacy
by design, strong data protection rules in general and the need for better
harmonisation in order to avoid forum shopping. European standards should be
applied by companies where data is collected within the EU and transferred
to third countries.

While being a solid document overall, there is also some lack of coherence
on certain points. In section 3.a of its strategy paper, the EPP suggests
to further explore a "modification of the liability regime for
intermediaries". However, the EPP (and the European Parliament as a whole)
has already given its consent to the Free Trade Agreement with South Korea
in 2010, which basically copies the articles on intermediary liability of
the E-Commerce Directive into the Agreement and binds the European Union
with regard to the intermediary liability regime. Furthermore, this proposal
contradicts the EPP's principled position on net neutrality, which strongly
speaks in favour of the defence of the neutral role of Internet

The EPP also adopts a very good position on profiling, stating that such
practices should be prohibited, but unfortunately has also given its consent
to agreements that allow profiling and data mining, such as the passenger
name record (PNR) agreements with third countries, such as Australia.

Hidden in its very last section on quality journalism online, the EPP's
paper introduces ancillary copyright provisions. It should be noted that in
September 2011, the German government announced that it was in the process
of preparing a draft legislative proposal for ancillary copyright provisions.
This push for ancillary copyright provisions on a European level has already
been demanded by German chancellor Angela Merkel. However, ancillary
copyright provisions have already been harshly criticised by civil rights
groups, such as the initiative IGEL, stating that such provisions would limit
the freedom of communication. The introduction of new copyright provisions
seems indeed unnecessary since publishers are already protected by copyright
provisions and usually get extensive rights from journalists through
contracts or general terms and conditions.

Overall, the EPP's strategy paper contains many good points and its adoption
should help facilitate discussions on the contradictions between principles
and practice that it has brought to light.

EPP Strategy Paper "Fair, Open and Secure Internet" (1.12.2011)

Video - EPP presents its strategy paper (1.12.2011)

Initiative IGEL against ancillary copyright provisions (only in German)

(Contribution by Kirsten Fiedler - EDRi)

8. Transatlantic data privacy in debate at Privacy Conference

The 2nd edition of the Annual European Data Protection and Privacy
Conference took place on 6 December 2011, mostly featuring speakers pulled
from its corporate sponsors, although it also included a few key European
institutions' representatives and data protection officials. There was no
place here for the civil society's voices apart from a representative from
BEUC, the European Consumers' Organisation.

The most interesting part of the conference was the prepared speeches about
the "Transatlantic solutions for data privacy" given by Viviane Reding, Vice
President and Commissioner for Justice, Fundamental Rights and Citizenship
of the European Commission, and Cameron Kerry, General Counsel at the US
Department of Commerce. Ms. Reding announced that her office wants to
"create a level playing field for companies" and is "against
inconsistent rules because they are against business". She also recommended
the adoption and use of binding corporate rules in that regard; and
explained that she is in favour of the rule of "main establishment" to
decide when the EU data protection rules apply to companies. She announced
the following four rules as being the most important ones of the upcoming
European Commission's data protection regulatory framework: an easier access
to one's own personal data, a right to data portability, the acknowledgement
of the right to forget, and clearer rules for international data transfers.
She also made the point that, although she favours cloud computing in
Europe, strong data protection rules are good for business because they
enhance consumers' confidence. Worth noting is the point she made about the
US government agency's proposal for a Commercial Privacy Bill of Rights.
Although in principle in its favour, she did not agree with the use of only
voluntary codes of conduct.

Cameron Kerry announced that his department would soon release a White Paper
promoting consumer privacy that would provide a roadmap for the US
Government and consist of four pillars:
1) a consumer privacy Bill of Rights to provide protections for consumers
and greater certainty for businesses, and provide a uniform set of standards
that expands on the notice and choice principles;
2) it will convene multi-stakeholder processes including EU entities to
develop legally enforceable codes of conduct that expand on the Bill of
Rights, based on a voluntary participation by both consumers and businesses,
and enforceable by the Federal Trade Commission (FTC) once participants
would agree to abide by them;
3) "effective, fair and consistent" enforcement by the FTC;
4) a global interoperability in which "the Bill of Rights is a strong step
towards an international consensus on international privacy principles".

Although his speech sounded more like the Department of Commerce's usual
discourse, which considers privacy an impediment to the benefits of free
trade and unrestricted flows of information an enabler of economic growth,
Mr. Kerry had a point when he alluded to the misconception some Europeans
have when they consider Americans as careless about privacy, and pinpointed
the deployment of data breach notification rules in the US as having been a
powerful incentive for companies' compliance with privacy rules.

During the next session about "Ensuring co-ordinated and harmonised data
protection laws across the EU", Jacob Kohnstamm, Chairman of the Article 29
Data Protection Working Party, emphasized that enforcing the rule of
establishment of the new data protection framework would only work if data
protection authorities are given much stronger enforcement powers and their
level of coordination is increased, without which "a level playing field in
the EU is impossible". Industry representatives all concurred on the need to
implement the "main establishment" rule, some saying that binding corporate
rules would limit the risk of forum shopping. Stephen Deadman from Vodafone
argued that the EU data protection regime is too legalistic ("we need less
rules, not more") while it should focus more on operational privacy. John
Vassallo of Microsoft, also in favour of the "main establishment" rule,
insisted that in order to avoid forum shopping, the criterion should be the
"primary physical infrastructure for processing data, the actual servers"
and that a clearer and more harmonized legal framework must be promoted.
Joan Antokol from Park Legal showed, through various examples based on her
health privacy practitioner's experience, the ways some European rules are
incoherent and should be harmonized across all EU Member States, while the
focus should be to eliminate rules and expenses that do not bring added value to
protect individuals' privacy.

In a second session entitled "What will the effect of the new privacy rules
be on the online lives of EU citizens?", Marie-Helene Boulanger from the
Data Protection Unit of the European Commission stated that a recent survey
of European consumers shows that the expectation of individuals with regard
to the protection of their personal data is decreasing, pointing to the fact
that 70% of Europeans are concerned about the secondary use of their data
without consent, and the increasing demand of individuals for the
notification of data breaches by companies. Richard Allan of Facebook, asked
how his company complied in practice with the subject access right of the
Data Protection Directive and how it reacted to the string of complaints by
an Austrian law student before the Irish Data Protection Commissioner,
argued that his company had started discussions with the Irish authority to
try to iron out the scope of subject access requests in practice, although
he avoided answering the more specific question as to whether that right to
access also included the meta-data associated with each Facebook user's

In the session about "Rebuilding consumer confidence in data protection
laws", Kostas Rossoglou of BEUC argued for stronger redress and
compensation rules, including a right to collective redress; also that
self-regulation is only a solution if it fully complies with the law,
benefits consumers, and is effectively enforced, which has, according to
him, never been the case thus far. David Smith of the UK Data Protection
Authority said that his office was interested in seeing trustmarks and seals
developed in a simple and effective way; that fines drive compliance; and
that individuals' access rights should be simple to use, whereas they are
generally hard to exercise in practice.

On the last panel entitled "What shape for globalised data protection and
privacy laws in the 21st century?", Peter Hustinx, the European Data
Protection Supervisor, stated about the prospective European data protection
legal framework that the criterion of application would be enhanced with a
"targeting" rule: whether the data protection rules apply will depend on
whether the data controllers are considered to target EU-based individuals
when processing their personal data, or monitor them online. He also added
that the meaning and scope of the concept of "adequate protection" would
likely be clarified by the European Commission.

Event webpage

(Contribution by Cedric Laurant - EDRi observer)

9. UK: Medical records in the open data programme?

British Prime Minister David Cameron announced that, under his "open
data" programme, all UK medical records will in future be made
available to researchers in both academia and the pharmaceutical
industry, unless patients opt out. They will be "anonymised"; at
present this process consists of replacing patients' names with the
combination of postcode plus date of birth, by which most citizens can
easily be re-identified.

Everyone 'to be research patient', says David Cameron (5.12.2011)

NHS open data plans 'death of privacy' (5.12.2011)

Further Detail on Open Data Measures in the Autumn Statement 2011

How anonymous is NHS patient data? (12.12.2011)

Here we go again (4.12.2011)

Anonymity is hard to do well - scientific papers

(Contribution by Ross Anderson - EDRi-member FIPR -UK)
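
The weakness described in this item can be measured before a dataset is released. The following is an added example, not part of the newsletter and not any NHS tooling: it computes k-anonymity for the postcode plus date-of-birth key over constructed records. The record layout, the fictitious "ZZ" postcodes and the coarser outward-code plus birth-year key are assumptions made for illustration.

```python
from collections import Counter
from datetime import date

# Constructed sample records (fictitious "ZZ" postcode area); no real patients.
RECORDS = [
    {"postcode": "ZZ1 1AA", "dob": date(1950, 3, 14), "diagnosis": "asthma"},
    {"postcode": "ZZ1 1AA", "dob": date(1950, 3, 14), "diagnosis": "diabetes"},  # twins
    {"postcode": "ZZ1 1AB", "dob": date(1950, 7, 2), "diagnosis": "hypertension"},
    {"postcode": "ZZ1 2CD", "dob": date(1950, 11, 30), "diagnosis": "asthma"},
    {"postcode": "ZZ1 2CD", "dob": date(1982, 1, 9), "diagnosis": "migraine"},
    {"postcode": "ZZ1 9XY", "dob": date(1982, 5, 21), "diagnosis": "eczema"},
    {"postcode": "ZZ2 3EF", "dob": date(1982, 8, 17), "diagnosis": "asthma"},
    {"postcode": "ZZ2 3EG", "dob": date(1982, 12, 25), "diagnosis": "diabetes"},
]

def full_key(rec):
    """The pseudonym described in the article: full postcode + full date of birth."""
    return (rec["postcode"], rec["dob"].isoformat())

def coarse_key(rec):
    """Hypothetical generalisation: outward postcode (before the space) + birth year."""
    return (rec["postcode"].split()[0], rec["dob"].year)

def audit(records, key_fn):
    """Return (k, unique_fraction) for the quasi-identifier produced by key_fn.

    k is the size of the smallest group of records sharing one key value
    (k-anonymity); unique_fraction is the share of records alone in their group.
    """
    sizes = Counter(key_fn(r) for r in records)
    k = min(sizes.values())
    unique = sum(1 for r in records if sizes[key_fn(r)] == 1)
    return k, unique / len(records)

def release_ok(records, key_fn, k_min):
    """Gate a release: every record must share its key with at least k_min - 1 others."""
    return audit(records, key_fn)[0] >= k_min

if __name__ == "__main__":
    for name, fn in (("postcode+dob", full_key), ("outward+year", coarse_key)):
        k, frac = audit(RECORDS, fn)
        ok = release_ok(RECORDS, fn, 2)
        print(f"{name}: k={k}, unique={frac:.0%}, release_ok(k>=2)={ok}")
```

Passing this check is necessary but not sufficient: a group whose members all share one diagnosis still discloses it, so sensitive-attribute diversity needs its own test.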

10. Recommended Action

CSISAC, the Civil Society Information Society Advisory Council to the OECD,
of which EDRI is a founding and steering committee member, is looking for
its Community Manager and Liaison to OECD. If you are a brilliant and
experienced community manager, people-motivator, public-interest advocate,
while being a diplomat, knowledgeable and showing strong interest in policy
related to the internet, telecommunications and information society, check
the job offer and full job description at
Deadline for applications by email: 31 December 2011

11. Recommended Reading

Digital Agenda: Turning government data into gold (12.12.2011)

EDPS opinion on EU-US Passenger Name Record agreement (13.12.2011)

The State of Surveillance: The Data (1.12.2011)

Global Information Society Watch report 2011 - Internet rights and

Internet censorship against streaming in France? (1.12.2011)

12. Agenda

27-30 December 2011, Berlin, Germany
28C3 - 28th Chaos Communication Congress

25-27 January 2012, Brussels, Belgium
Computers, Privacy and Data Protection 2012

26 January 2012, Schaarbeek, Belgium
Big Brother Awards Belgium

25 February 2012, Szeged, Hungary
Copyright and Human Rights in the Information Age: Conflict or Harmonious
CfP by 16 January 2012

16-18 April 2012, Cambridge, UK
Cambridge 2012: Innovation and Impact - Openly Collaborating to Enhance
OER12 and the OCW Consortium's Global Conference

14-15 June 2012, Stockholm, Sweden
EuroDIG 2012
Submissions open by 31 December 2011

9-10 July 2012, Barcelona, Spain
8th International Conference on Internet Law & Politics: Challenges and
Opportunities of Online Entertainment
Abstracts deadline: 20 December 2011

12-14 September 2012, Louvain-la-Neuve, Belgium
Building Institutions for Sustainable Scientific, Cultural and genetic
Resources Commons.
Call for abstracts deadline: 15 January 2012

13. About

The next EDRi-gram will be published on 18 January 2012.

EDRi-gram is a biweekly newsletter about digital civil rights in Europe.
Currently EDRi has 28 members based or with offices in 18 different
countries in Europe. European Digital Rights takes an active interest in
developments in the EU accession countries and wants to share knowledge and
awareness through the EDRi-grams.

All contributions, suggestions for content, corrections or agenda-tips are
most welcome. Errors are corrected as soon as possible and are visible on
the EDRi website.

This EDRi-gram has been published with financial support from the EU's
Fundamental Rights and Citizenship Programme.

Except where otherwise noted, this newsletter is licensed under the
Creative Commons Attribution 3.0 License. See the full text at

Newsletter editor: Bogdan Manolea <edrigram at edri.org>

Information about EDRI and its members:

European Digital Rights needs your help in upholding digital rights in the
EU. If you wish to help us promote digital rights, please consider making a
private donation.

- EDRI-gram subscription information

Subscribe by e-mail
To: edri-news-request at edri.org
Subject: subscribe

You will receive an automated e-mail asking to confirm your request.

Unsubscribe by e-mail
To: edri-news-request at edri.org
Subject: unsubscribe

- EDRI-gram in Macedonian

EDRI-gram is also available partly in Macedonian, with delay. Translations
are provided by Metamorphosis

- EDRI-gram in German

EDRI-gram is also available in German, with delay. Translations are provided
by Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for
Internet Users

- Newsletter archive

Back issues are available at:

- Help
Please ask <edrigram at edri.org> if you have any problems with subscribing or

----- End forwarded message -----
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
